I tried to build an OpenVPN container with Docker.
You can see the configuration files below.
Dockerfile:

```dockerfile
FROM ubuntu:20.04

# OpenVPN for the tunnel, iptables for the NAT rules set up in main.sh
RUN apt update \
 && apt install openvpn iptables -y \
 && apt clean

COPY server.conf /etc/openvpn/server/server.conf
COPY main.sh /tmp/main.sh

EXPOSE 1194
CMD ["/tmp/main.sh"]
```
main.sh:

```sh
#!/bin/sh
set -e

# Allow packets to be forwarded between the tunnel and the container's other interfaces
iptables -I FORWARD -j ACCEPT
# Source-NAT traffic from the VPN subnet when it leaves through eth0
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

# Run OpenVPN in the foreground as PID 1 so the container stops when it exits
exec openvpn --config /etc/openvpn/server/server.conf
```
server.conf:

```
# Which port to use
# The default value is 1194
# I use port 53, mimicking DNS traffic;
# this setting sometimes helps to get around
# captive portals
port 1194

# TCP or UDP protocol. UDP recommended
;proto tcp-server
proto tcp

# No need to change
;dev tap
dev tun

# Keys: first the public certificate of the certificate authority,
# then the public certificate of the server,
# then the server's private key
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key # This file must be kept secret

# Diffie-Hellman parameters
dh /etc/openvpn/certs/dh2048.pem

# A virtual local area network will be created.
# Here are its parameters.
# No need to change anything without special reasons
topology subnet
server 10.8.0.0 255.255.255.0

# When the server is restarted, each client is assigned its previous IP address
ifconfig-pool-persist ipp.txt

# This setting makes the VPN server the default gateway
# for clients while they are connected to the VPN
push "redirect-gateway def1 bypass-dhcp"

# Ping the remote peer every 10 seconds
# and consider it down if it has not answered within 120 seconds
keepalive 10 120

# Additional protection against DoS attacks and UDP port flooding
# thanks to the creation of an "HMAC firewall"
# by adding an additional signature to the SSL/TLS handshake.
# The ta.key file was created during key generation;
# it must also be delivered to every client
remote-cert-tls client
tls-auth /etc/openvpn/certs/ta.key 0 # This file must be kept secret

# Keep keys and the tun device open across restarts, in case they
# cannot be re-opened after privileges have been dropped
persist-key
persist-tun

# Short file with the current status,
# contains the current connections,
# truncated and rewritten every minute
status openvpn-status.log

# Verbosity level
#
# 0 silent, except for fatal errors
# 4 is suitable for normal use
# 5 and 6 help in debugging when solving connection problems
# 9 is extremely verbose
verb 4
```
I use the following command to run the container.

```sh
docker run -v /loc/to/certs:/etc/openvpn/certs --rm --cap-add=NET_ADMIN --device /dev/net/tun:/dev/net/tun -p 5656:1194 openvpn-image
```
The container is created normally and I could even connect to it with the OpenVPN client.
But the problem is that the VPN doesn't have an Internet connection.
I am sure that the container has an Internet connection because I checked it with the curl command.
It seems there is a problem with the NAT and packets aren't forwarded to the eth0 interface.
I checked the /proc/sys/net/ipv4/ip_forward value and it was 1.
Also, I checked iptables -t nat -L -n -v and it seems incoming packets are forwarded.
So I don't know what the problem is.
```
root@xxxxx:/# iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 32271 packets, 1678K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 1 packets, 60 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
32270 1678K MASQUERADE  all  --  *      eth0    10.8.0.0/24          0.0.0.0/0

root@xxxxx:/# iptables -L -n -v
Chain INPUT (policy ACCEPT 126K packets, 19M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 176K 8951K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 42584 packets, 3420K bytes)
 pkts bytes target     prot opt in     out     source               destination
```
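To check the two rules that main.sh installs without reading the counters by eye, here is an added example (not from the post above) that parses `iptables -L -n -v` output and reports whether the MASQUERADE rule for the VPN subnet and the FORWARD accept rule are present and whether packets have hit them; the sample output is constructed from the chains shown in the post, and the function and variable names are my own.

```python
"""Check the NAT rules an OpenVPN container needs by parsing `iptables -L -n -v` output."""
# Constructed samples, trimmed from the output shown in the post (same rules and counters).
NAT_OUTPUT = """\
Chain PREROUTING (policy ACCEPT 32271 packets, 1678K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
32270 1678K MASQUERADE  all  --  *      eth0    10.8.0.0/24          0.0.0.0/0
"""
FILTER_OUTPUT = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 176K 8951K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

_SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}   # iptables abbreviates counters in powers of 1000
_COLS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "source", "destination")

def parse_counter(text):
    """Convert an abbreviated iptables counter such as '1678K' to an int."""
    return int(text[:-1]) * _SUFFIX[text[-1]] if text[-1] in _SUFFIX else int(text)

def parse_iptables(output):
    """Return one dict per rule line, tagged with the chain it belongs to."""
    rules, chain = [], None
    for line in output.splitlines():
        fields = line.split()
        if not fields or fields[0] == "pkts":      # blank line or column header
            continue
        if fields[0] == "Chain":                   # 'Chain NAME (policy ...)'
            chain = fields[1]
            continue
        rule = dict(zip(_COLS, fields))            # trailing match options are dropped
        rule["chain"], rule["pkts"] = chain, parse_counter(rule["pkts"])
        rules.append(rule)
    return rules

def check_vpn_nat(nat_output, filter_output, vpn_net="10.8.0.0/24", wan_if="eth0"):
    """Report whether main.sh's two rules are installed and how many packets hit them."""
    masq = [r for r in parse_iptables(nat_output)
            if r["chain"] == "POSTROUTING" and r["target"] == "MASQUERADE"
            and r["source"] == vpn_net and r["out"] == wan_if]
    fwd = [r for r in parse_iptables(filter_output)
           if r["chain"] == "FORWARD" and r["target"] == "ACCEPT"]
    return {"masquerade_present": bool(masq), "masquerade_pkts": sum(r["pkts"] for r in masq),
            "forward_accept_present": bool(fwd), "forward_pkts": sum(r["pkts"] for r in fwd)}
```

Feed it the real output with `check_vpn_nat(subprocess.check_output(["iptables", "-t", "nat", "-L", "-n", "-v"], text=True), ...)` inside the container; a MASQUERADE counter that stays at zero while clients are connected points at the rule (wrong interface name or subnet), whereas a rising counter, as in the post, means the NAT rule is matching and the fault lies elsewhere.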